John – everybody’s most favorite ripper

What is that?

John does one thing and does that very well:

It can find the corresponding password for a given hash.

John has different ways to do this – we are looking at the wordlist-mode here.

We will talk about hashes in a different article – for now we just say that a hash function is a one-way function that maps a string of variable length to a fixed-length string.

If we use MD5 for example that would look like this:

You see: 2 strings of different length are transformed into 2 different strings of the same length.

But if it’s a one-way function, how does John manage to go the reverse way and find a string from its hash?

Well – John doesn’t.

John just takes every item in a wordlist, calculates the hash for each word in it and compares that hash with the given hash.

If the hashes match – John found the corresponding password.

This is a very basic overview – so let’s see how it works.

Let’s first create an MD5 hash of a very simple password.

echo -n "password" | md5sum
7576f3a00f6de47b0c72c5baf2d505b0

It is really important to use the -n switch. Otherwise echo would append a newline to the string and that newline would also become part of the hash:

“password” and “password\n” produce completely different hashes.

If we have this hash in a real-world scenario we of course don’t know what hash type it is (for there are many).

You can use many different tools for checking the hash type. We will use hash-identifier here, which is also part of Kali.

hash-identifier 7576f3a00f6de47b0c72c5baf2d505b0

As expected: that is an MD5 hash.

Now let’s feed it into John:

echo -n "5f4dcc3b5aa765d61d8327deb882cf99" > password_md5.txt
john --wordlist=/usr/share/wordlists/rockyou.txt password_md5.txt --format=raw-md5 --fork=4

You can ignore the --fork=4 here.

We are telling John here to use the rockyou wordlist to calculate an MD5 hash for each word and then compare each hash to the hash in the file password_md5.txt.
When the hash in password_md5.txt matches a hash John calculates from the rockyou list – we have the original password.

You have to know where to look – but we see that John found the phrase “password”.

Let’s just for the fun of it run the same command again:

So what happened here? When running the same command on the same hash for the second time, we get no results. How come?

Well – it turns out John is smart enough to remember which hashes it has already cracked – and to save computing power it doesn’t crack the same hash twice.

So when you see the

No password hashes left to crack (see FAQ)

message you want to do this:

john --show password_md5.txt --format=raw-md5

This tells John to look for that hash in the list of hashes that it cracked earlier.

You can also easily have a look at the file where John stores the information about hashes that were already cracked (the “pot” file):

cat ~/.john/john.pot
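To make the two points above concrete – wordlist mode is just “hash every word and compare”, and the pot file is why a second run finds nothing – here is a small added example in Python. It is not John’s code: the wordlist is a constructed four-word stand-in for rockyou.txt, the target hash is the MD5 of “password” from this article, and a plain dict plays the role of ~/.john/john.pot.

```python
import hashlib
from typing import Dict, Iterable, Set

# Constructed stand-in for rockyou.txt; every line carries the trailing
# newline a real wordlist file has.
SAMPLE_WORDLIST = ["123456\n", "letmein\n", "password\n", "qwerty\n"]

# Hash taken from the article (MD5 of "password").
TARGET = "5f4dcc3b5aa765d61d8327deb882cf99"


def raw_md5(candidate: str) -> str:
    """Hex MD5 of the candidate exactly as given, nothing appended."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def wordlist_crack(targets: Iterable[str], wordlist: Iterable[str],
                   pot: Dict[str, str]) -> Dict[str, str]:
    """Wordlist mode: hash every word and compare it with each target hash.

    `pot` plays the role of ~/.john/john.pot: hashes already in it are not
    cracked again, so a second run over the same hash returns nothing,
    just like John's "No password hashes left to crack" message.
    """
    pending: Set[str] = {t.strip().lower() for t in targets} - set(pot)
    found: Dict[str, str] = {}
    for line in wordlist:
        if not pending:
            break
        word = line.rstrip("\r\n")        # the echo -n lesson: drop the newline
        digest = raw_md5(word)
        if digest in pending:
            found[digest] = word
            pending.discard(digest)
    pot.update(found)                     # persist like john.pot
    return found


def show(targets: Iterable[str], pot: Dict[str, str]) -> Dict[str, str]:
    """Equivalent of `john --show`: look the hashes up in the pot."""
    return {t: pot[t] for t in (x.strip().lower() for x in targets) if t in pot}


if __name__ == "__main__":
    pot: Dict[str, str] = {}
    print("first run :", wordlist_crack([TARGET], SAMPLE_WORDLIST, pot))
    print("second run:", wordlist_crack([TARGET], SAMPLE_WORDLIST, pot))
    print("--show    :", show([TARGET], pot))
    print("newline changes the hash:", raw_md5("password") != raw_md5("password\n"))
```

The last line of output also shows why the -n switch matters: hashing “password\n” instead of “password” would never match the stored hash.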

This is basically how you will use John most of the time.

There are other modes in which John can operate, like brute-forcing or even using an external program to generate passwords.

We will look at these modes in a different article.
